3 Answers
3

A glue record is a term for a record that's served by a DNS server that's not authoritative for the zone, to avoid a condition of impossible dependencies for a DNS zone.

Say I own a DNS zone for example.com. I want to have DNS servers that're hosting the authoritative zone for this domain so that I can actually use it - adding records for the root of the domain, www, mail, etc. So, I put the name servers in the registration to delegate to them - those are always names, so we'll put in ns1.example.com and ns2.example.com.

There's the trick. The TLD's servers will delegate to the DNS servers in the whois record - but they're within example.com. They try to find ns1.example.com, ask the .com servers, and get referred back to... ns1.example.com.

What glue records do is to allow the TLD's servers to send extra information in their response to the query for the example.com zone - to send the IP address that's configured for the name servers, too. It's not authoritative, but it's a pointer to the authoritative servers, allowing for the loop to be resolved.

I requested that this answer be merged in from a duplicate question, as the existing answers did not explain the role of the ADDITIONAL section.

To see how it works, type this:
dig +trace +additional google.com SOA

This will trace the nameserver authority starting from the root servers (+trace). Adding +additional will also show you the ADDITIONAL section of each DNS server response. Normally most people think of DNS in terms of the QUESTION and the ANSWER sections, but ADDITIONAL also plays an important role: if the nameserver knows the answers to any queries that are related to the answer, it can pre-emptively supply those answers in the ADDITIONAL section without requiring additional queries from your client.

Note that the authoritative nameservers for google.com are rooted under the domain they're authoritative for. (ns1.google.com, ns2.google.com, etc.)

When you ask a nameserver to supply the list of nameservers for a domain, they will often supply a list of A-type records (IP addresses) in the ADDITIONAL section, not just the NS-type answers: these are called glue records, used to prevent circular dependencies. In this case, those A records are served from the TLD (.com, .org, etc.) nameservers based on the IP addresses that someone supplied the DNS registrar responsible for the domain. They can usually be changed by logging into the admin web interface they supply you.

(disclaimer: AAAA records containing IPV6 addresses can also be supplied as part of the glue, but I left this out for simplicity's sake.)

@converter42 To be fair, I don't think most sysadmins actually expect you to get that question right. I'm a DNS lead and I certainly don't. It does tell me when an interviewee knows DNS better than 80% of other admins though. :)
–
Andrew BFeb 18 at 16:00

Circular dependencies and glue records

Name servers in delegations are
identified by name, rather than by IP address. This means that a
resolving name server must issue another DNS request to find out the
IP address of the server to which it has been referred.
If the name
given in the delegation is a subdomain of the domain for which the
delegation is being provided, there is a circular dependency. In this
case the nameserver providing the delegation must also provide one or
more IP addresses for the authoritative nameserver mentioned in the
delegation. This information is called glue.

. . .

For example, if the authoritative name server
for example.org is ns1.example.org, a computer trying to resolve
www.example.org first resolves ns1.example.org. Since ns1 is contained
in example.org, this requires resolving example.org first, which
presents a circular dependency.
To break the dependency, the
nameserver for the org top level domain includes glue along with the
delegation for example.org. The glue records are address records that
provide IP addresses for ns1.example.org. The resolver uses one or
more of these IP addresses to query one of domain's authoritative
servers, which allows it to complete the DNS query.